Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-11-2024 19:31
Static task: static1
Behavioral task: behavioral1
- Sample: Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe
- Resource: win10v2004-20241007-en
Behavioral task: behavioral3
- Sample: $PLUGINSDIR/System.dll
- Resource: win7-20240903-en
Behavioral task: behavioral4
- Sample: $PLUGINSDIR/System.dll
- Resource: win10v2004-20241007-en
General
- Target: Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe
- Size: 851KB
- MD5: 629be165860d2336755de85467756639
- SHA1: af1da57d01a00bf942e127cce60fb4208bfd9795
- SHA256: e9617a78c93e6d5cdc1087dfa6e9bf9d63406e05b6b01135c189242a7c33718c
- SHA512: 418f56a804212158033b1ae592cafeb8fa1c5a0d9506eb541beb7762c23ebfe5c61dbac8588c350816c229e9f6d77457e361423146874695976c1b8d9267cbff
- SSDEEP: 24576:ZNAsPMh+Cdd8509puHmATonQ1htKzWbGWO:dPMvA509pkonAhtHbnO
Malware Config
Signatures
- Guloader family
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
- Loads dropped DLL (2 IoCs)
  pid 2120, Process Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe (2 identical entries)
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid 2268, Process Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 2120, Process Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe
  pid 2268, Process Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2120 set thread context of 2268; pid 2120; Process Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe; procid_target 95
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe (2 identical entries)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 2268, Process Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe (14 identical entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 2120, Process Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description: PID 2120 wrote to memory of 2268; pid 2120; Process Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe; procid_target 95 (5 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe"
  PID: 2120
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe (depth 2, child of PID 2120)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe"
    PID: 2268
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 11KB
  MD5: be2621a78a13a56cf09e00dd98488360
  SHA1: 75f0539dc6af200a07cdb056cddddec595c6cfd2
  SHA256: 852047023ba0cae91c7a43365878613cfb4e64e36ff98c460e113d5088d68ef5
  SHA512: b80cf1f678e6885276b9a1bfd9227374b2eb9e38bb20446d52ebe2c3dba89764aa50cb4d49df51a974478f3364b5dbcbc5b4a16dc8f1123b40c89c01725be3d1